Lesson 8 Implementing IAM controls

Question 1

Public key infrastructure (PKI)

Answer 1

Public key infrastructure (PKI) allows the management of digital identities

Question 2

certificate authority (CA

Answer 2

certificate authority (CA) issues certificates to validated subjects (users and servers).

Question 3

The identity provider (IdP)

Answer 3

The identity provider (IdP) is the service that provisions the user account and processes authentication requests

Question 4

privilege access management (PAM)

Answer 4

privilege access management (PAM) products provide a solution for storing these high-risk credentials somewhere other than a spreadsheet and for auditing elevated privileges

Privileged access management (PAM) refers to policies, procedures, and technical controls to prevent the malicious abuse of privileged accounts and to mitigate risks from weak configuration control over privileges.

Question 5

Discretionary access control (DAC)

Answer 5

Discretionary access control (DAC) is based on the primacy of the resource owner. The owner is originally the creator of a file or service, though ownership can be assigned to another user

Question 6

Role-based access control (RBAC)

Answer 6

Role-based access control (RBAC) adds an extra degree of centralized control to the DAC model. Under RBAC, a set of organizational roles are defined, and subjects are allocated to those roles.

Under this system, the right to modify roles is reserved to a system owner. Therefore, the system is non-discretionary, as each subject account has no right to modify the ACL of a resource, even though they may be able to change the resource in other ways

Question 7

Mandatory access control (MAC)

Answer 7

Mandatory access control (MAC) is based on the idea of security clearance levels. Rather than defining ACLs on resources, each object and each subject is granted a clearance level, referred to as a label.

Question 8

Attribute-based access control (ABAC)

Answer 8

Attribute-based access control (ABAC) is the most fine-grained type of access control model.

ABAC system is capable of making access decisions based on a combination of subject and object attributes plus any context-sensitive or system-wide attributes.

• Time of day
• IP
• Location

Question 9

Rule-based access control

Answer 9

Rule-based access control - any sort of access control model where access control policies are determined by system-enforced rules rather than system users.

As such, RBAC, ABAC, and MAC are all examples of rule-based (or non- discretionary) access control.

Question 10

Federation

Answer 10

Federation is the notion that a network needs to be accessible to more than just a well-defined group of employees.

• Trusting accounts created and managed by other networks
• SAML (Security Assertions Markup Language)-Openstandard for implementing identity
• Obtaining assertion (access) from an identy provider.
• Corporate
• User centric

Question 11

Open Authentication (OATH)

Answer 11

Open Authentication (OATH) is designed to facilitate sharing of information (resources) within a user profile between sites.

Question 12

Capture the Flag (CTF)

Answer 12

Capture the Flag (CTF) is usually used in ethical hacker training programs and gamified competitions

Question 13

Privilege Management

Answer 13

Separation of duties

Job Rotation

Question 14

Least Privilege

Answer 14

Sufficient permission to do your job

- Reduce if compromised

Question 15

Identity Management

Answer 15

Accounts can be securely associated with a digital ID

• PKI (Certs)
• SSO
• smartcard (Token)

Question 16

Vacations

Answer 16

Avoid Complacency

Used to check employees performance

Question 17

Security Account Types:

Administrator / Root

Answer 17

• Change system attributes
• Disable these accounts for security
• Assign admin permission rather than group membership

Question 18

Security Account Types:

Standard Users

Answer 18

Limited priv.
No system changes
Account profile
Password Policy
Guest Account

Question 19

Security Account Types:

Security Groups

Answer 19

Privileges assigned through group membership/multiple group membership

Question 20

Security Account Types:

Service Accounts

Answer 20

Created by OS or Service
Used by scheduled process of applications
No user interaction
-system - most privileged
-local service - same as a standard user
-Network services - same as a standard user

Linux uses services account to run a non-interactive process (Daemon)

Question 21

Account Policies

Answer 21

Enforce privilege management policy as what a user can and cannot do

Question 22

Account Attributes

Answer 22

• SID
• Acc. Name + PW
• Profile: Shares/Stores, Environment settings/identity attributes

Question 23

Group Policy/Group Membership

Answer 23

OU - Assigns group policy

• user
• computer
• group

Question 24

Password Policy

Answer 24

Domain Level

• Complexity
• Age
• History
• Account lockout

Question 25

Account Restrictions

Answer 25

• location-based
• IP address
• location services: geofencing (entering or leaving an area)

Question 26

Time based Restrictions

Answer 26

• Log on hours
• how long to access
• force log off if inactive

Question 27

Account Auditing

Answer 27

Security and audit log
Check account activity
Detect Intrusions.

Question 28

Open ID connect

Answer 28

• Authentication
• Trust relation using PII or user accounts
• PII (Personably Identifiable Information)

Question 29

Trusts

Answer 29

One way A –> B
Two way A B

Transitive Trust
A –> B
B –> C
Therefore A –> C

Question 30

Personnel Policies

Answer 30

What you can do in an agreement

• Conduct Policies
• AUP (misuse of equiptment)
• Codes of conduct
• Clean desk policy (confidential documents)

Question 31

Training

Answer 31

Security Policies
Incident Policies (Shared documents / HDD disposal)
Password Policies
Social Engineering / malware